Latest Report On Data Breaches: More Outsider Attacks, Many Of Them State-Sponsored

from the also,-you-will-fall-victim-to-phishing dept


Every year, Verizon releases a fairly detailed report looking into data breaches, and the recently released 2013 report is quite interesting, highlighting how large a share of the breaches it analyzed it attributes to state-sponsored attackers. Not surprisingly, there's a strong correlation between that and espionage (rather than direct financial gain) being the main motive for those attacks. And, also not surprising: China is a major source of them. However, one thing the study does make clear is that the common claim that insiders are the biggest threat is less and less true, at least on a pure numbers basis. Insiders may be able to do more direct damage per breach, but in sheer number of breaches, outsiders dominate these days. There has been a pretty noticeable shift on this front over the past few years.

The report is actually fairly entertaining and quite readable. It does note that the rise of state-sponsored attacks in its data might reflect better data and better evidence collection rather than an actual increase in such attacks, but either way, China continues to be a pretty big threat when it comes to outside attacks for espionage purposes. On the financially motivated side, it's apparently all about Romania.

Separately, there's a fantastic chart (the report's Table 1, profiling threat actors) that lays out three major types of attackers, who they target and how they generally go about it. It's a pretty handy chart for understanding the overall layout of data breaches and how they normally occur.

I'm actually somewhat surprised that phishing isn't used more often across all three actor types, as the report also notes that phishing is astoundingly effective:

We try to avoid rolling out scary memes like “you will be compromised,” but when it comes to phishing attacks, that’s exactly what the data tells us. Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Getting the user to click (on a link or attachment) is the first obstacle for all phishing campaigns. So how many e-mails would it take to get one click?

[....] It’s pretty easy to see why this is a favored attack for espionage campaigns and the answer to our question is “three.” Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a “guaranteed” sticker on getting a click. To add some urgency to this, about half of the clicks occur within 12 hours of the phishing e-mail being sent.

That said, the report notes that merely getting a click doesn't mean the victim will enter their credentials or that the click turns into a real compromise, but it is somewhat astounding nonetheless.
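The arithmetic behind those campaign-size figures, as an added illustration rather than code or data from the report or from this post: it assumes every recipient clicks independently with the same per-mail probability (a simplification the report does not make explicit), and it back-solves that probability from the quoted "three e-mails beats 50%" figure instead of taking a click rate from the report.

```python
"""Binomial model of "how many phishing e-mails until somebody clicks".

Assumption (not from the report): every recipient clicks independently with
the same per-mail probability. The click rate is back-solved from the quoted
"three e-mails beats 50%" figure rather than taken from the report's data.
"""
import math


def p_at_least_one_click(n_emails, click_rate):
    """Probability that at least one of n independent recipients clicks."""
    return 1.0 - (1.0 - click_rate) ** n_emails


def emails_for_confidence(click_rate, target):
    """Smallest campaign size whose chance of at least one click reaches target."""
    if not 0.0 < target < 1.0 or not 0.0 < click_rate < 1.0:
        raise ValueError("click_rate and target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - click_rate))


def implied_click_rate(n_emails, observed):
    """Per-mail click rate at which n e-mails yield the observed success probability."""
    return 1.0 - (1.0 - observed) ** (1.0 / n_emails)


def campaign_table(click_rate, sizes=(1, 3, 6, 10, 20)):
    """Success probability for each campaign size, rounded for display."""
    return {n: round(p_at_least_one_click(n, click_rate), 3) for n in sizes}


if __name__ == "__main__":
    p = implied_click_rate(3, 0.5)  # the rate at which three mails beat 50%
    print("implied per-mail click rate: %.3f" % p)
    for n, prob in campaign_table(p).items():
        print("%2d e-mails -> %.1f%% chance of at least one click" % (n, 100 * prob))
    print("mails needed for 99%%: %d" % emails_for_confidence(p, 0.99))
```

With the rate back-solved from the three-mail figure (about 0.21), six mails give 75% and ten about 90%; the report's 80% and "guaranteed" figures therefore imply a slightly higher per-mail rate, around 0.23 to 0.25, at which ten mails are a 93% to 94% bet. Either way the attacker chooses the campaign size, and once it is in the low tens a click is close to certain.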

The report also notes what a disaster it is that we still rely on single-factor passwords for most things, rather than (at the very least) two-factor authentication: it ties roughly 80% of successful hacks to weak, guessed or stolen credentials, exactly the attacks a second factor would cut off.

Another interesting point: the researchers note they've seen no evidence that attackers are targeting cloud-based services over in-house ones. It's not that there aren't attacks on cloud services, just that attackers don't seem to single them out. Of course, a separate research report notes just how much investment is going into the enterprise cloud these days, so I'm guessing that cloud providers are going to become increasingly large targets. They may have stronger security, but breaking in will be valuable enough that attacking the stronger fortress will be worth the effort.

And, finally, if you want to be scared about how many of these attacks have probably gone on and aren't known about yet, well, the end of the report is not particularly comforting. In the researchers' data, initial compromise happens quickly (within hours, which is up from minutes a few years ago, but still fast), and getting data out follows soon after. But (and here's the scary part) actually having those breaches noticed? That doesn't happen for months, and more often than not it happens because an outsider discovers it, rather than an employee or an internal system raising the alarm.

In about a third of those cases, the "outsider" is a totally unrelated party, but in 9% of cases, it's a customer who discovers the data breach. That can't be good for customer confidence.

There's a lot more data in the report, and it's well worth reading. However, as we've been talking so much lately about privacy and security when it comes to governments (mainly with a focus on the activities of intelligence agencies in the US and its allies), it's worth noting other forms of attack as well, and the trends related to them. The growth of attacks that are really a form of espionage, rather than just organized crime, seems like a noteworthy, if not all that surprising, finding.

Re: Re:

You'd be surprised at how sophisticated it's becoming. Some links point to addresses so similar that the average Joe may be tricked into clicking. I told my father never to click links or open attachments without doing some basic checks (hover the mouse, check with the source whether the mail is legit by replying and asking if it was sent knowingly, etc.) and to ask me if he wasn't sure. He came to me with an e-mail that was so perfectly crafted that it looked like it was coming from the right place (i.e., the From part showed the official domain), and the link not only pointed to a URL that seemed legit but also had the expected format and provided the content one would regularly receive from that source. After looking at the e-mail it still seemed suspicious to me, so I called the source and asked about that specific mail. It turned out to be one very well crafted phishing attack.

Most companies don't send e-mails with links anymore, so I've decided to instruct my family to distrust links and attachments by default. So far we've had only one semi-successful infection (stopped by Comodo Firewall at the time) in four years. Seems reasonable considering my parents are the type of computer illiterates who could probably be tricked by the Nigerian prince e-mail.

Re:

I thought exactly that. However, could you consider it a data breach if it's obtained via taps installed directly in the infrastructure? I mean, the companies cannot control or defend against such a thing, so technically it's not a breach but a systemic failure.

Re: Re:

If you're reading your email with a web browser: you're an idiot. It's one of the most insanely stupid things you can do with a computer.

No, I'm not going to bother to post the multi-page explanation for that in a text box on TechDirt.

Instead, I'll observe that in my work doing penetration testing, my success rate exploiting people who read their email with a web browser is 100.00%. It's never failed. It doesn't matter whether they're noobs or programmers, corporate executives or graduate students, engineers or accountants. It doesn't matter which browser they use. It doesn't matter which mail backend they're talking to. It doesn't matter.

Now I'm sure some of you reading this will be inclined to reply "but what about X?", where X might be a firewall, a mail filtering appliance, a blacklist, a phishing site repository, a JavaScript sanitizer, a web proxy, yadda yadda yadda. No. They don't matter either. If you read your email with a web browser, then you're holding up a big sign that reads "exploit me", and no doubt someone out there will eventually take you up on the offer.

Good grief, doesn't anyone know how to read headers these days? When you get an email that claims to be from BankOfNebraska, did it actually come from a server at bankofnebraska.com? If it actually came from dsl3241.users.orlando.shadyisp.com, that should tell anyone with half a brain that it is a scam.

Re:

I have had great success in (AUTHORIZED) phishing attacks by registering a similar domain. So in your example, for the low price of $15 I would probably use bank-of-nebraska.com, and the headers would show it came from bank-of-nebraska.com. $30 gets me bankofnebraska.co; 98% of the people not in IT don't even bat an eye at a .co domain ;-)

Re: Reading headers

I agree that your examples would fool a large percentage of the population. However, the percentage of phishes I receive with such good headers is in the single digits.

My modest proposal is for email reading programs to alert users when an email's "From:" address does not match the sending domain. Needless to say, there are many cases where this is perfectly normal, so you would need a way to whitelist certain senders/domain combinations.
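A hand-rolled version of the check proposed in the comment above (the From: domain versus the domain that actually delivered the mail, with a whitelist for legitimate mismatches), extended to catch the lookalike registrations described in the two comments before it and the link-hovering advice in the first. This is an added example, not code from any commenter; the messages, hosts, whitelist and brand list are constructed for illustration, and the registrable-domain logic is deliberately naive.

```python
"""Flag mail whose From: domain disagrees with the host that delivered it, and
From: domains that imitate a protected brand. Added example; the messages,
hosts and whitelist are constructed for illustration, not taken from the thread."""
import email
import email.utils
import re

# Constructed RFC 5322 samples; none of the hosts or addresses are real.
LEGIT = """Received: from mail.bankofnebraska.com (mail.bankofnebraska.com [198.51.100.10])
    by mx.example.net with ESMTPS; Mon, 22 Apr 2013 10:00:00 +0000
From: Bank of Nebraska <alerts@bankofnebraska.com>
To: victim@example.net
Subject: Your statement is ready

Log in to view your statement.
"""
SPOOFED = """Received: from dsl3241.users.orlando.shadyisp.com (unknown [203.0.113.7])
    by mx.example.net with ESMTP; Mon, 22 Apr 2013 10:05:00 +0000
From: Bank of Nebraska <alerts@bankofnebraska.com>
To: victim@example.net
Subject: Urgent: verify your account

Click here to verify.
"""
LOOKALIKE = """Received: from mail.bank-of-nebraska.com (mail.bank-of-nebraska.com [203.0.113.9])
    by mx.example.net with ESMTPS; Mon, 22 Apr 2013 10:07:00 +0000
From: Bank of Nebraska <alerts@bank-of-nebraska.com>
To: victim@example.net
Subject: Urgent: verify your account

Click here to verify.
"""

# Hypothetical whitelist of (From: domain, delivering domain) pairs known to be
# legitimate, e.g. a bank that sends statements through an outside bulk mailer.
ALLOWLIST = {("bankofnebraska.com", "bankofnebraska.com"),
             ("bankofnebraska.com", "bulkmailer.example")}
BRANDS = ["bankofnebraska.com"]  # domains whose lookalikes we want to catch


def registered_domain(host):
    """Crude registrable-domain guess (last two labels). Fine for .com/.co; a real
    tool would consult the public suffix list so co.uk and friends work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg):
    """Domain of the From: address, i.e. the part the user actually sees."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def delivering_host(msg):
    """Host named in the topmost Received: header. Our own MX wrote that line;
    every Received: line below it came from the sender and can be forged."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else ""


def levenshtein(a, b):
    """Edit distance, inlined to avoid a dependency for a ten-line routine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, brands=BRANDS):
    """Brand that `domain` imitates, or None: inserted hyphens (bank-of-nebraska.com),
    a swapped TLD (bankofnebraska.co) or a one-character typo in the name."""
    if domain in brands:
        return None
    core = re.sub(r"[^a-z0-9]", "", domain.split(".")[0])
    for brand in brands:
        brand_core = brand.split(".")[0]
        if core == brand_core or levenshtein(core, brand_core) == 1:
            return brand
    return None


def check_message(raw, allowlist=ALLOWLIST, brands=BRANDS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw)
    fdom, ddom = from_domain(msg), registered_domain(delivering_host(msg))
    findings = []
    if fdom != ddom and (fdom, ddom) not in allowlist:
        findings.append("From: says %s but the mail came from %s" % (fdom, ddom))
    brand = lookalike_of(fdom, brands)
    if brand:
        findings.append("From: domain %s imitates %s" % (fdom, brand))
    if any(label.startswith("xn--") for label in fdom.split(".")):
        findings.append("From: domain %s contains a punycode (IDN) label" % fdom)
    return findings


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, check_message(raw) or "ok")
```

The topmost Received: line is the only one the receiving MX wrote itself; everything below it arrives from the sender and is exactly as forgeable as the From: header, which is why the script looks at nothing else. The standardised form of the first check is SPF, DKIM and DMARC, which let the owner of a domain publish who may send on its behalf; a freshly registered lookalike domain passes all three, which is why the second check is there.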

Phishing is the initial vector for most breaches

In Table 1 (Profiling threat actors), the author notes that he is 'surprised that phishing isn't used more often across all types'.
With the few exceptions listed, aren't all the malware and hacking actions listed actually initiated with phishing in most cases?